Re: [Qemu-devel] vTPM 2.0 is recognized as vTPM 1.2 on the Win 10 virtua
From: Marc-André Lureau
Subject: Re: [Qemu-devel] vTPM 2.0 is recognized as vTPM 1.2 on the Win 10 virtual machine
Date: Thu, 16 Aug 2018 10:56:52 +0200

Hi
On Thu, Aug 16, 2018 at 3:29 AM 汤福 <address@hidden> wrote:
>
> Hi,
>
> I want to use the vTPM in a qemu Windows image. Unfortunately, it didn't work.
> First, the equipment:
> TPM 2.0 hardware
> CentOS 7.2
> Qemu v2.10.2
> SeaBIOS 1.11.0
> libtpm and so on
>
> My host is CentOS 7.2 with the TPM 2.0 hardware and qemu v2.10.2.
> I built libtpm and SeaBIOS with ./configure, make and so on. I checked
> the TPM setting in SeaBIOS with make menuconfig. TPM is enabled by default.
> Eventually, all works without errors.
>
> I start the Windows 10 image with:
> qemu-system-x86_64 -display sdl -enable-kvm -m 2048 -boot d -bios bios.bin
> -boot menu=on -tpmdev
> cuse-tpm,id=tpm0,cancel-path=/dev/null,type=passthrough,path=/dev/tpm0
> -device tpm-tis,tpmdev=tpm0 win10.img
>
>
> At first it all looks fine. Windows 10 booted up but the vTPM was recognized as
> TPM 1.2 instead of TPM 2.0 in Device Manager. I opened the TPM manager with
> tpm.msc but got the error "No compatible TPM found".
> If I use the vTPM in a qemu Linux image, everything goes well.
>
>
> So, what could be the problem?

You need to build libtpms & swtpm from Stefan's tpm2-preview branches.
(Alternatively, there is now an experimental Fedora Copr repository:
https://copr.fedorainfracloud.org/coprs/stefanberger/swtpm/)

I suggest setting up the VM with upstream libvirt, which will do the
preliminary swtpm_setup for you, or follow
https://github.com/stefanberger/swtpm/wiki/Certificiates-created-by-swtpm_setup

For Windows TPM 2 support, you will need the TPM CRB device, and
upstream OVMF compiled with -D TPM2_ENABLE (TIS & BIOS are 1.2 only
for Windows, even if SeaBIOS does have some 2.0 support with them).

Furthermore, to pass the WLK tests, you need the PPI & MOR interfaces,
which are still pending merge ([PATCH v9 0/6] Add support for TPM
Physical Presence interface).

--
Marc-André Lureau
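
The setup the reply describes, as an added example that is not part of the original thread: a small check that flags the two conditions named above (TIS device, BIOS firmware) in a QEMU argument list, followed by a launch using swtpm and the CRB device. The paths, the `lint_tpm_args` and `run_vm` names, and the heuristic that `-bios` without an OVMF image means SeaBIOS are assumptions; it also assumes a QEMU build that has the `emulator` TPM backend and the `tpm-crb` device, and it skips `swtpm_setup`.

```sh
#!/bin/sh
# Added example, not from the thread. All paths are assumed placeholders.
TPM_DIR="${TPM_DIR:-/tmp/vtpm0}"                        # swtpm state directory
OVMF_CODE="${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.fd}"  # must be built with -D TPM2_ENABLE
OVMF_VARS="${OVMF_VARS:-./OVMF_VARS.fd}"                # per-VM copy of the vars file

# Print the reasons a QEMU argument list would leave a Windows guest
# without a usable TPM 2.0. Returns 0 only when nothing was found.
lint_tpm_args() {
    findings="" prev="" crb=no
    for a in "$@"; do
        case "$a" in
            tpm-tis|tpm-tis,*) findings="$findings tis-device" ;;
            tpm-crb|tpm-crb,*) crb=yes ;;
        esac
        # Heuristic (assumption): -bios with a non-OVMF image means SeaBIOS.
        if [ "$prev" = "-bios" ]; then
            case "$a" in *OVMF*) ;; *) findings="$findings bios-firmware" ;; esac
        fi
        prev="$a"
    done
    [ "$crb" = yes ] || findings="$findings no-crb-device"
    echo "${findings# }"
    [ -z "$findings" ]
}

# Start a TPM 2.0 emulator and boot the guest with OVMF and the CRB interface.
run_vm() {
    mkdir -p "$TPM_DIR"
    swtpm socket --tpm2 --daemon \
        --tpmstate "dir=$TPM_DIR" \
        --ctrl "type=unixio,path=$TPM_DIR/swtpm-sock"
    set -- -enable-kvm -m 2048 \
        -drive "if=pflash,format=raw,readonly=on,file=$OVMF_CODE" \
        -drive "if=pflash,format=raw,file=$OVMF_VARS" \
        -chardev "socket,id=chrtpm,path=$TPM_DIR/swtpm-sock" \
        -tpmdev emulator,id=tpm0,chardev=chrtpm \
        -device tpm-crb,tpmdev=tpm0 "$1"
    # Refuse to start if the list would still present a 1.2-only interface.
    lint_tpm_args "$@" >/dev/null && exec qemu-system-x86_64 "$@"
}

# Usage: ./vtpm2.sh run win10.img
if [ "${1:-}" = "run" ]; then
    run_vm "${2:-win10.img}"
fi
```

Run against the command line from the original question, `lint_tpm_args` reports `bios-firmware tis-device no-crb-device`.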